Privacy Policy

This platform is operated by Adjunto Tech, Lda., a Portuguese private limited company (sociedade por quotas), with registered office at Rua General António César de Vasconcelos Correia, Torres Novas (parish of Torres Novas: Santa Maria, Salvador e Santiago; municipality of Torres Novas), holding the single registration and legal entity number (NIPC) 519470036, with share capital of €1,000, incorporated through the Empresa Online service of the Portuguese Institute of Registries and Notaries (hereinafter "Adjunto"). Contacts: • General questions and customer support: suporte@adjunto.pt • Data protection and exercise of rights (GDPR): privacidade@adjunto.pt Adjunto is not legally required to appoint a Data Protection Officer (Article 37 GDPR), as its core activity does not consist of large-scale processing of special categories of data or regular and systematic monitoring of data subjects. All data protection requests are handled through the privacidade@adjunto.pt channel.

Adjunto plays two distinct roles depending on the category of data involved: A) DATA CONTROLLER When we collect data directly, determining its purposes and means. This includes: • Account data (name, email, password, professional profile) • Communications with customer support • Technical and usage data (access logs, aggregated statistics) • Billing data • Marketing communications, where authorized B) PROCESSOR, under Article 28 GDPR When a CUSTOMER (the club or any user who enters third-party data, including coaches or technical staff on the Adjunto One and Adjunto Base plans) introduces data about athletes, members, teams, matches, injuries, finances or any other information into the platform. In these cases: • The CUSTOMER is the Data Controller for the data they enter • ADJUNTO processes the data only following the customer's instructions and to provide the service • The customer is responsible for the legal basis, consents, informing data subjects and fulfilling the GDPR rights of the respective athletes, members or other third parties • Adjunto provides tools for the customer to meet these obligations A Data Processing Agreement is available on request at privacidade@adjunto.pt.

As CONTROLLER (data we process directly): • Account data (name, email, password, profile): contract performance (Art. 6(1)(b)) • Communications with customer support: contract performance and legitimate interest (Art. 6(1)(b) and (f)) • Technical and security logs: legitimate interest (Art. 6(1)(f)) • Usage statistics (Google Analytics with anonymized IP): consent, collected in the cookie banner (Art. 6(1)(a)) • Billing: compliance with a legal obligation (Art. 6(1)(c)) • Optional marketing communications: consent (Art. 6(1)(a)) As PROCESSOR (data entered by the club into the platform): • Sports data: teams, attendance, matches, statistics • Member data: records, fees, contacts • Minors' data: the club ensures the applicable legal basis (typically performance of the contract with the athlete or their legal representative). Law no. 58/2019 sets 13 years as the minimum age for direct consent in Portugal • Health data (when the club uses the Clinical module): processed only in the context of sports practice, with access restricted to the Doctor profile, whose assignment is the club's responsibility. Typical legal basis: Art. 9(2)(h) (healthcare by a professional bound by secrecy) or explicit consent (Art. 9(2)(a)). The applicable basis is determined by the club

Adjunto NEVER sells, trades or transfers personal data to third parties for marketing, advertising or any other commercial purposes. We use the following subprocessors to provide the service, all subject to contractual obligations of confidentiality and GDPR compliance: Supabase, Vercel, Railway, Stripe, Resend, Google Workspace and Google Analytics. The detailed and up-to-date list (each provider's purpose, infrastructure location and applicable DPF/SCC safeguards) is available on the Security page and can be requested at privacidade@adjunto.pt. We give advance notice of any material changes. We may also disclose data when required by law or by a competent authority.

The primary data of clubs and athletes is stored on servers located in the European Union (Supabase, Frankfurt). Where subprocessors have a presence outside the European Economic Area (essentially parent companies based in the US), the safeguards provided for in Chapter V of the GDPR apply: adherence to the EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCC) and additional technical measures, such as encryption in transit and at rest.

We retain personal data for the following periods: Data we process as CONTROLLER: • User account: while the account is active and up to 30 days after its deletion • Billing: 10 years, due to tax requirements (Art. 123 of the Corporate Income Tax Code) • Technical and security logs: 12 months • Usage statistics: 14 months (Google Analytics 4 limit) • Customer support communications: 24 months after resolution Data we process as PROCESSOR (on the club's instructions): • For the duration of the contract with the club • After termination: 10 days for the club to export the data, followed by permanent deletion (see Terms of Use, section 5) Applicable legal periods (notably tax and accounting obligations) prevail over the periods indicated above.

We implement appropriate technical and organizational measures, including: TLS encryption in transit, encryption at rest, profile-based access control, strengthened authentication for sensitive profiles (for example, the Doctor profile), regular backups and continuous monitoring. Data breach notification: should a breach occur affecting data processed on behalf of a customer, we notify the customer (the controller) without undue delay, within a maximum of 72 hours after becoming aware of it, under Article 33(2) GDPR.

Data subjects have the following rights: • Access to personal data • Rectification of inaccurate data • Erasure ("right to be forgotten"), when applicable • Restriction of processing • Objection to processing • Portability (in a structured, machine-readable format, such as CSV or JSON) • Withdrawal of consent at any time, where consent is the legal basis How to exercise them: • For data we process as CONTROLLER (account, communications, billing): contact privacidade@adjunto.pt • For data about you entered by a CUSTOMER of the platform (for example, by your club or by a coach or technical staff on the Adjunto One or Adjunto Base plans, as an athlete, member, guardian, etc.): contact that customer first, as they are the data controller. Adjunto will forward any request received to the relevant customer, under Art. 28(3)(e) GDPR No automated individual decisions with legal effects on data subjects are made (Art. 22 GDPR). You also have the right to lodge a complaint with the supervisory authority: the Portuguese Data Protection Authority (CNPD, www.cnpd.pt).

This Policy may be updated. We will communicate material changes at least 30 days in advance, by email to registered users. The version in force is the one published on this page, with the last-updated date visible at the top. Contacts: • General questions: suporte@adjunto.pt • Data protection requests (GDPR): privacidade@adjunto.pt